    Conflict detection in software-defined networks

    The SDN architecture facilitates the flexible deployment of network functions. While promoting innovation, this architecture also induces a higher chance of conflicts compared to conventional networks. The detection of conflicts in SDN is the focus of this work. Restrictions of the formal analytical approach drive our choice of an experimental approach, in which we determine a parameter space and a methodology to perform experiments. We have created a dataset covering a number of situations occurring in SDN. The investigation of the dataset yields a conflict taxonomy composed of various classes organized in three broad types: local, distributed and hidden conflicts. Interestingly, hidden conflicts caused by side-effects of control applications' behaviour are completely new. We introduce the new concept of multi-property set, and the ·r ("dot r") operator for the effective comparison of SDN rules. With these capable means, we present algorithms to detect conflicts and develop a conflict detection prototype. The evaluation of the prototype justifies the correctness and the realizability of our proposed concepts and methodologies for classifying as well as for detecting conflicts. Altogether, our work establishes a foundation for further conflict handling efforts in SDN, e.g., conflict resolution and avoidance. In addition, we point out challenges to be explored. Cuong Tran won the DAAD scholarship for his doctoral research at the Munich Network Management Team, Ludwig-Maximilians-Universität München, and achieved the degree in 2022. He loves to do research on policy conflicts in networked systems, IP multicast and alternatives, network security, and virtualized systems. Besides, teaching and sharing are also among his interests.

    A review of flow conflicts and solutions in software defined networks (SDN)

    Software Defined Networks (SDN) are a modern networking technology introduced to simplify network management via the separation of the data and control planes. Characteristically, flow entries are propagated between the control plane layer and the application or data plane layers respectively, while following flow table instructions through the OpenFlow protocol. More often than not, conflicts in flows occur as a result of traffic load and the priority of instructions in the data plane. Several research works have been conducted on flow conflicts in SDN to reduce their adverse effect. Solutions to flow conflict in SDN have three main limitations. First, the OpenFlow table may still cause a defect in the security module according to the priority and action matching in the OpenFlow of the control plane. Second, flow conflict detection requires more time due to flow tracking and incremental update, whereas in such a case, delay affects the efficiency of SDN. Besides, the SDN algorithm and mechanism have substantially high memory requirements for instruction and proper functioning. Third, most of the available algorithms and detection methods used to avoid flow conflicts have not fully covered the security model policy. This study reviews these limitations and suggests solutions for future research directions.

    Policy-based Information Sharing using Software-Defined Networking in Cloud Systems

    Cloud Computing is rapidly becoming a ubiquitous technology. It enables an escalation in computing capacity, storage and performance without the need to invest in new infrastructure and the maintenance expenses that follow. Security is among the major concerns of organizations that are still reluctant to adopt this technology: the cloud is dynamic, and with so many different parameters involved, it is a difficult task to regulate it. With an approach that blends Usage Management and Statistical Learning, this research yielded a novel approach to mitigate some of the issues arising due to questionable security, and to regulate performance (utilization of resources). This research also explored how to enforce the policies related to the resources inside a Virtual Machine (VM), apart from providing initial access control. As well, this research compared various encryption schemes and observed their behavior in the cloud. We considered various components in the cloud to deduce a multi-cost function, which in turn helps to regulate the cloud. While guaranteeing security policies in the cloud, it is essential to add security to the network because the virtual cloud and SDN tie together. Enforcing network-wide policies has always been a challenging task in the domain of communication networks. Software-defined networking (SDN) enables the use of a central controller to define policies, and the use of each network switch to enforce policies. While this presents an attractive operational model, it uses a very low-level framework, and is not suitable for directly implementing high-level policies. Therefore, we present a new framework for defining policies and easily compiling them from a user interface directly into OpenFlow actions and usage management system processes. This demonstrated capability allows cloud administrators to enforce both network and usage policies on the cloud.

    Fisheries and Coastal Resources Co-management in Asia: Selected Results from a Regional Research Project

    Coastal fisheries, Fishery management, Resource management

    Conflict-free access rules for sharing smart patient health records

    This research is funded by the EU H2020 project Serums (Securing Medical Data in Smart Patient-Centric Healthcare Systems), grant code 826278. With an increasing trend in personalised healthcare provision across Europe, we need solutions to enable the secure transnational sharing of medical records, establishing granular access rights to personal patient data. Access rules can establish what should be accessible by whom for how long, and comply with collective regulatory frameworks, such as the European General Data Protection Regulation (GDPR). The challenge is to design and implement such systems integrating novel technologies like Blockchain and Data Lake to enhance security and access control. The blockchain module must deal with adequate policies and algorithms to guarantee that no data leaks occur when authorising data retrieval requests. The data lake module tackles the need for an efficient way to retrieve potential granular data from heterogeneous data sources. In this paper, we define a patient-centric authorisation approach, incorporating a structured format for composing access rules that enable secure data retrieval and automatic rules conflict checking.

    Scalable and Reliable Middlebox Deployment

    Middleboxes are pervasive in modern computer networks, providing functionalities beyond mere packet forwarding. Load balancers, intrusion detection systems, and network address translators are typical examples of middleboxes. Despite their benefits, middleboxes come with several challenges with respect to their scalability and reliability. The goal of this thesis is to devise middlebox deployment solutions that are cost effective, scalable, and fault tolerant. The thesis includes three main contributions: first, distributed service function chaining with multiple instances of a middlebox deployed on different physical servers to optimize resource usage; second, Constellation, a geo-distributed middlebox framework enabling a middlebox application to operate with high performance across wide area networks; third, a fault tolerant service function chaining system.

    Decentralized Decision Making for Limited Resource Allocation Using a Private Blockchain Network in an IoT (Internet of Things) Environment with Conflicting Agents

    Blockchains have gotten popular in recent times, owing to their security, anonymity, and lack of any third-party involvement. Blockchains essentially are record-keeping tools that record any transactions between involved parties. One of the key aspects of handling and navigating any autonomous traffic on the streets is a secured and simple means of communication. This thesis explores the distribution of minimum resources between multiple autonomous agents, by settling conflicts using events of random nature. The thesis focuses on two specific events: tossing of a coin and the game of rock, paper, and scissors (RPS). An improvement on the traditional game of RPS is further suggested, called rock, paper, scissors, and hammer (RPSH). A seamless communication interface to enable secure interaction is then set up using blockchains with smart contracts. A new method of information exchange called Sealed Envelope Exchange is proposed to eliminate any involvement of third-party agents in the monitoring of conflict resolution. A scenario of assigning the sole remaining parking spot in a filled parking space between two vehicles is simulated, and the conflict is then resolved in a fair manner without involving a third-party agent. This is achieved by playing a fair game of RPSH using blockchains and simulating cross-chain interaction to ensure that any messages and transactions during the game are secured.

    Solvency, company directors’ duties and the problem of process and enforcement - A comparative study

    This study examines the legal provisions in relation to creditors' protection, particularly when the company is insolvent, and seeks to compare different statutory approaches with the view of determining the best reforms for Malaysia. Three jurisdictions have been chosen as the basis of comparison, the United Kingdom, New Zealand and Australia, due to similar legal history, as these countries have often been referred to by the Malaysian Courts to assist in the interpretation of the law. To determine the question of creditors' protection, the thesis will address several main issues. Firstly, the thesis examines the relationship between separate legal entity and limited liability. To do so it questions the circumstances in which directors will be personally liable for the debt of the company and the extent to which they are liable. The issue will be explored in the light of the shareholder primacy theory which forms the basis of company law. Directors' duties therefore are developed with the view of protecting shareholders; and the failure to do so will cause directors to be personally liable. The thesis also considers the arguments for stakeholders' theory, which mandates directors to take account of other stakeholders' interests in addition to shareholders' when making decisions. Secondly, it also investigates how the piercing of the corporate veil and imposing liability on directors will provide protection to creditors, especially when the company is insolvent. In order to do so, it scrutinizes the legislative initiatives on the issue as well as the judicial response to the statute. The thesis traces the reforms of the historical doctrine of capital maintenance and the use of the solvency test as a replacement to protect creditors. It also provides comprehensive analyses of the law on the issue of remedies in order to ascertain whether the current legal provisions are adequate to protect creditors.

    Modelling and Analysis of Network Security Policies

    Nowadays, computers and network communications have a pervasive presence in all our daily activities. Their correct configuration in terms of security is becoming more and more complex due to the growing number and variety of services present in a network. Generally, the security configuration of a computer network is dictated by specifying the policies of the security controls (e.g. firewall, VPN gateway) in the network. This implies that the specification of the network security policies is a crucial step to avoid errors in network configuration (e.g., blocking legitimate traffic, permitting unwanted traffic or sending insecure data). In the literature, an anomaly is an incorrect policy specification that an administrator may introduce in the network. In this thesis, we indicate as policy anomaly any conflict (e.g. two triggered policy rules enforcing contradictory actions), error (e.g. a policy cannot be enforced because it requires a cryptographic algorithm not supported by the security controls) or sub-optimization (e.g. redundant policies) that may arise in the policy specification phase. Security administrators, thus, have to face the hard job of correctly specifying the policies, which requires a high level of competence. Several studies have confirmed, in fact, that many security breaches and breakdowns are attributable to administrators' responsibilities. Several approaches have been proposed to analyze the presence of anomalies among policy rules, in order to enforce a correct security configuration. However, we have identified two limitations of such approaches. On one hand, current literature identifies only the anomalies among policies of a single security technology (i.e., IPsec, TLS), while a network is generally configured with many technologies. On the other hand, existing approaches work on a single policy type, also named domain (i.e., filtering, communication protection). Unfortunately, the complexity of real systems is not self-contained and each network security control may affect the behavior of other controls in the same network. The objective of this PhD work was to investigate novel approaches for modelling security policies and their anomalies, and formal techniques of anomaly analysis. We present in this dissertation our contributions to the current policy analysis state of the art and the achieved results. A first contribution was the definition of a new class of policy anomalies, i.e. the inter-technology anomalies, which arise in a set of policies of multiple security technologies. We also provided a formal model able to detect these new types of anomalies. One of the results achieved by applying the inter-technology analysis to the communication protection policies was to categorize twelve new types of anomalies. The second result of this activity was derived from an empirical assessment that proved the practical significance of detecting such new anomalies. The second contribution of this thesis was the definition of a new type of policy analysis, named inter-domain analysis, which identifies any anomaly that may arise among different policy domains. We improved the state of the art by proposing a possible model to detect the inter-domain anomalies, which is a generalization of the aforementioned inter-technology model. In particular, we defined the Unified Model for Policy Analysis (UMPA) to perform the inter-domain analysis by extending the analysis model applied for a single policy domain to a comprehensive analysis of anomalies among many policy domains. The result of this last part of our dissertation was to improve the effectiveness of the analysis process. Thanks to the inter-domain analysis, indeed, administrators can detect in a simple and customizable way a greater set of anomalies than the sets they could detect by running any other model individually.